<html>
<head>
  <!--
    Test fixture. The policy under test is delivered by the meta element
    below; its content attribute is a server-side template placeholder that
    appears to be filled from the "csp" query parameter (TODO confirm against
    the serving harness). No escaping is visible in this file, so the value
    lands in the attribute as supplied: serve this page from a test origin
    only, never from a production one.
  -->
  <meta http-equiv="Content-Security-Policy" content="{{GET[csp]}}">
</head>
<body>
  <script>
    // Probe for the policy above: request one same-site image and report the
    // outcome to the embedding window. If the policy disallows inline script,
    // this block does not run and the parent receives no message at all.
    var img = document.createElement("img");

    // Handlers are attached before the request starts. The target origin is
    // '*', so whichever window embeds this page receives the message; the
    // payload is a fixed status string. A listener should still match
    // event.source against the frame it created before trusting the result.
    img.onload = () => {
      parent.postMessage('img loaded', '*');
    };
    img.onerror = () => {
      parent.postMessage('img not loaded', '*');
    };

    img.src = "/content-security-policy/support/pass.png";
    document.body.appendChild(img);
  </script>
</body>
</html>
